Re: Redirecting htaccess over SSL, then back to port 80?


Getting back to the original subject:

> Assuming you're doing standard HTTP Authentication, it doesn't work
> that way.  Once you get the login popup, every subsequent request by
> the browser sends the same authentication token (username & password
> in clear text) to the server.

You're right - the Authentication: header is sent back on subsequent
requests. However, I have done some testing with mod_forensic to log
which headers the client is sending. These are my findings:

1. User goes to a page which requires authentication over SSL
https://mysite/securedir/ - prompted for user/pass.
Authorization: header added with base64 encoded string

2. User visits any other pages on same server, over SSL
E.g.: https://mysite.tld/some-other-dir/ and the Authorization: header
stays with them. Browser keeps sending it. That's OK.

3. User clicks on a link back to the port 80 version of the site.
http://mysite.tld/index.html - The browser no longer seems to
send the Authorization: header. It sees the http and https sites
as different sites.

If this is the case, then would the following approach work?

1) If detected, .htaccess redirects to the SSL version of the site.
2) The user authenticates over SSL and accesses the pages they are interested in.
3) At some point, they click a menu link etc., go back to port 80, and the password
    is not exposed.


Paul


> Hence, doing SSL for the first request doesn't really add to your
> security since all the other requests would send the username &
> password in clear text (some people think the user & pass are
> "encrypted" but it's really just base64 encoding).
>
> --
> Aaron Turner
> http://synfin.net/
> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety.
>    -- Benjamin Franklin
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx





--
Paul Reilly
Systems Group
IS Services
Trinity College Dublin
e: paul.reilly@xxxxxx
p: +353-1-896-2152
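An added configuration example of the three-step approach proposed above; it is constructed for this thread and is not Paul's or the Apache project's own configuration. It assumes the hostname mysite.tld from the thread and placeholder paths for DocumentRoot and the htpasswd file, and it puts the redirect in the port-80 virtual host while the protected directory's .htaccess refuses plain-HTTP requests outright.

```apache
# Constructed example for the thread above; paths marked placeholder are
# assumptions, mysite.tld and /securedir/ come from the thread.

# --- Port-80 virtual host: send /securedir/ to HTTPS before auth runs ---
# In server/vhost context mod_rewrite acts in the URL-translation phase,
# which comes before Apache's authentication phase, so the browser is
# redirected before it can be challenged (and answer) over plain HTTP.
# The absolute hostname is used rather than %{HTTP_HOST} so a client-
# supplied Host header cannot steer the redirect elsewhere.
<VirtualHost *:80>
    ServerName mysite.tld
    # placeholder path
    DocumentRoot /var/www/mysite
    RewriteEngine On
    RewriteRule ^/securedir/ https://mysite.tld%{REQUEST_URI} [R=301,L]
</VirtualHost>

# --- /var/www/mysite/securedir/.htaccess ---
# Needs "AllowOverride AuthConfig" for this directory in the vhost.
# SSLRequireSSL is checked in the access-control phase, which also
# precedes authentication: a plain-HTTP request that still reaches this
# directory gets a 403, never a 401, so credentials are never requested
# (and never base64-encoded back) in the clear.
SSLRequireSSL
AuthType Basic
AuthName "Secure area"
# placeholder path; keep the password file outside DocumentRoot
AuthUserFile /srv/auth/htpasswd
Require valid-user
```

Keeping the redirect in the virtual host rather than in the .htaccess matters: in per-directory (.htaccess) context mod_rewrite runs in the fixup phase, after authentication, so a 401 challenge and the base64 reply would already have crossed port 80 before the redirect fired. Step 3 then relies only on browsers treating http:// and https:// as separate sites for cached credentials, which is what the mod_forensic test above observed.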
